Does Istio support proxy protocol?

I set a gateway behind an haproxy with TCP forwarding and proxy protocol ("send-proxy" flag) but it doesn't work.

I know Envoy supports it but it seems that Istio doesn't.

If it doesn't support it, is there another way to retrieve the source IP?

Thanks for your help.

You may have to apply this:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: proxy-protocol
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: LISTENER
    patch:
      operation: MERGE
      value:
        listener_filters:
        - name: envoy.listener.proxy_protocol
        - name: envoy.listener.tls_inspector

As my istio ingress gateway is behind AWS ELB, I also had to enable proxy protocol on ELB:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
spec:
  profile: default
  components:
    ingressGateways:
      - name: istio-ingressgateway
        namespace: istio-system
        enabled: true
        # Copy settings from istio-ingressgateway as needed.
  values:
    gateways:
      istio-ingressgateway:
        serviceAnnotations:
          # Note that Helm values (spec.values.gateways.istio-ingressgateway/egressgateway)
          # are shared by all ingress/egress gateways.
          # If these must be customized per gateway,
          # it is recommended to use a separate IstioOperator CR

          # Enable Proxy protocol
          service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

If you omit envoy.listener.tls_inspector, you will get:

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx
openssl: no peer certificate available
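
What haproxy's "send-proxy" flag puts on the wire, as an added example that is not part of the original question or answer: a Python parser for the PROXY protocol v1 text header that recovers the client source address and returns the bytes that follow it. The function name, error class and sample bytes are constructed for illustration.

```python
import ipaddress

V1_MAX = 107  # longest v1 header the PROXY protocol spec allows, CRLF included


class ProxyHeaderError(ValueError):
    """Raised when the stream does not begin with a valid v1 header."""


def parse_proxy_v1(stream: bytes):
    """Split a PROXY v1 header off the front of a TCP stream.

    Returns (info, rest). info holds the original client and destination
    endpoints, or None for "PROXY UNKNOWN"; rest is the payload that follows.
    """
    if not stream.startswith(b"PROXY "):
        raise ProxyHeaderError("stream does not start with a PROXY v1 header")
    end = stream.find(b"\r\n", 0, V1_MAX)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    rest = stream[end + 2:]
    try:
        fields = stream[:end].decode("ascii").split(" ")
        if fields[1] == "UNKNOWN":
            return None, rest
        family = {"TCP4": 4, "TCP6": 6}[fields[1]]
        _, _, src, dst, sport, dport = fields  # exactly six fields
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not (sport.isdigit() and dport.isdigit()):
            raise ValueError("ports must be decimal")
        src_port, dst_port = int(sport), int(dport)
    except (ValueError, KeyError) as exc:
        raise ProxyHeaderError(f"malformed header: {exc}") from exc
    if src_ip.version != family or dst_ip.version != family:
        raise ProxyHeaderError("address family does not match protocol field")
    if src_port > 65535 or dst_port > 65535:
        raise ProxyHeaderError("port out of range")
    return {"src_ip": str(src_ip), "src_port": src_port,
            "dst_ip": str(dst_ip), "dst_port": dst_port}, rest


# Constructed sample: a v1 header followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 198.51.100.23 10.0.4.17 51544 443\r\n" + b"\x16\x03\x01\x02\x00\x01"

if __name__ == "__main__":
    info, rest = parse_proxy_v1(SAMPLE)
    print(info, rest[:3].hex())
```

The payload after the header starts with byte 0x16, the TLS handshake record type, so the TLS data only becomes visible to later filters once the header has been consumed.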
